ID: 156160
Sample Name: Setup.exe
Cookbook: default.jbs
Time: 04:51:37
Date: 25/07/2019
Version: 26.0.0 Aquamarine

Table of Contents

Analysis Report Setup.exe
Overview
General Information
Detection
Confidence
Classification
Analysis Advice
Mitre Att&ck Matrix
Signature Overview
  AV Detection:
  Networking:
  System Summary:
  Data Obfuscation:
  Persistence and Installation Behavior:
  Hooking and other Techniques for Hiding and Protection:
  Malware Analysis System Evasion:
  Anti Debugging:
  Language, Device and Operating System Detection:
  Lowering of HIPS / PFW / Operating System Security Settings:
Behavior Graph
Simulations
  Behavior and APIs
Antivirus and Machine Learning Detection
  Initial Sample
  Dropped Files
  Unpacked PE Files
  Domains
  URLs
Yara Overview
  Initial Sample
  PCAP (Network Traffic)
  Dropped Files
  Memory Dumps
  Unpacked PEs
Joe Sandbox View / Context
  IPs
  Domains
  ASN
  JA3 Fingerprints
  Dropped Files
Screenshots
  Thumbnails
Startup
Created / dropped Files
Domains and IPs
  Contacted Domains
  URLs from Memory and Binaries
  Contacted IPs
Static File Info
  General
  File Icon
  Static PE Info
    General
    Authenticode Signature
    Entrypoint Preview
    Rich Headers
    Data Directories
    Sections
    Resources
    Imports
    Version Infos
    Possible Origin
Network Behavior
Code Manipulations
Statistics
  Behavior
System Behavior
  Analysis Process: Setup.exe PID: 2612 Parent PID: 4808
    General
    File Activities
      File Read
  Analysis Process: Setup.exe PID: 4520 Parent PID: 2612
    General
    File Activities
      File Created
      File Written
      File Read
    Registry Activities
      Key Created
      Key Value Created
Disassembly
  Code Analysis

Copyright Joe Security LLC 2019

Analysis Report Setup.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 156160
Start date: 25.07.2019
Start time: 04:51:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus39.evad.winEXE@3/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Detection

| Strategy | Score | Range | Reporting Whitelisted | Detection |
|---|---|---|---|---|
| Threshold | 39 | 0 - 100 | false | |

Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
|---|---|---|---|---|
| Threshold | 2 | 0 - 5 | true | |

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing 1; DLL Side-Loading 1; Rootkit; Obfuscated Files or Information; Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Query Registry 1; Process Discovery 1; Application Window Discovery 1; Security Software Discovery 1 2 1; System Information Discovery 1 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol

Signature Overview

• AV Detection
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings


AV Detection:

Antivirus or Machine Learning detection for dropped file

Antivirus or Machine Learning detection for unpacked file

Networking:

Found strings which match to known social media urls

Urls found in memory or binary data

System Summary:

Creates mutexes

PE file contains strange resources

Sample reads its own file content

Tries to load missing DLLs

Classification label

Creates temporary files

PE file has an executable .text section and no other executable section

Parts of this application are using the .NET runtime (Probably coded in C#)

Reads software policies

Sample might require command line arguments

Spawns processes

Uses an in-process (OLE) Automation server

Found graphical window changes (likely an installer)

Uses Silverlight

Checks if is installed

PE file has a valid certificate

Submission file is bigger than most known malware samples

PE file contains a of data directories often seen in goodware

Contains modern PE file flags such as dynamic base (ASLR) or NX

PE file contains a debug data directory

Binary contains paths to debug symbols

PE file contains a valid data directory to section mapping

Data Obfuscation:

PE file contains an invalid checksum

PE file contains sections with non-standard names

Persistence and Installation Behavior:

Drops PE files

Creates install or setup log file

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running processes

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Enables debug privileges

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Behavior Graph

[Behavior graph. ID: 156160; Sample: Setup.exe; Startdate: 25/07/2019; Architecture: WINDOWS; Score: 39. Setup.exe started Setup.exe, which dropped C:\Users\user\AppData\Local\...\mbahost.dll (PE32). Signatures shown: "Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)"; "Antivirus or Machine Learning detection for dropped file".]

Simulations

Behavior and APIs

| Time | Type | Description |
|---|---|---|
| 04:52:38 | API Interceptor | 3x Sleep call for process: Setup.exe modified |

Antivirus and Machine Learning Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Setup.exe | 0% | virustotal | | Browse |

Dropped Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll | 100% | Avira | WORM/Lodbak.Gen | |
| C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll | 100% | Joe Sandbox ML | | |

Unpacked PE Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 2.1.Setup.exe.b50000.0.unpack | 100% | Joe Sandbox ML | | |
| 0.1.Setup.exe.b50000.0.unpack | 100% | Joe Sandbox ML | | |

Domains

No Antivirus matches

URLs

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| downloadcenter.commvault.com__cv__%s%s1.1.3__gda__%s%s%c%s=%lu_%s | 0% | Avira URL Cloud | safe | |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
• Setup.exe (PID: 2612 cmdline: 'C:\Users\user\Desktop\Setup.exe' MD5: 9C58BAC65013AF9DB388BCDD3CCA831E)
  • Setup.exe (PID: 4520 cmdline: 'C:\Users\user\Desktop\Setup.exe' -burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612 MD5: 9C58BAC65013AF9DB388BCDD3CCA831E)
cleanup

Created / dropped Files

C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 583
Entropy (8bit): 4.61397655631052
Encrypted: false
MD5: 0F6CD71BD425B8FE648F6C42ADA94DA6
SHA1: DF5136C33482855A3929DF5D18D0EC62EC7A24A4
SHA-256: E9FF763C23183821D082A52DFE1A4A5DFD52F9B1E56F0418D2B198E2B7995092
SHA-512: 7DD89BD5F82CA331D3337AE8E2274E78E2A8A3E849F99784FB57B4FC9843E45C49C3B58411BF48525911482E0B992A2983E36BD0C3F0142F464A77DC3EDA44C0
Malicious: false
Reputation: low
Preview: .*******************************************************************.. Machine .: 302494.. Module .: Install.log.. Commserver .: .. Product Version.: 11.80.140.0.. OS Version .: NT 6.3.9600.0.. Date .: 7/25/2019..*******************************************************************..4520 4 07/25 04:53:09 ### ManagedLogger::SetCLRThreadPoolMaxThreads - CLR ThreadPool's max threads is already set by another thread in the process. maxWorkerThreads = [1000], maxIOThreads = [1000], PID = [4520], ProcessName = [Setup]...

C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 2285
Entropy (8bit): 4.798815237914724
Encrypted: false
MD5: 22CB4474370603D4C027387F68A71DF9
SHA1: B392F143255730D39194E58D2AAA929364407846
SHA-256: B0A2AFD809F3C9BC21720EFA258E54700F63DA6C294A898413BC6CB42C1BE84C
SHA-512: E19306CC276AE312563FCD1F8CE2ADF707B57074A90BE6B59A7438A527FCA8801A7288A76E305ADC550BA373BD5CAF55AFA27FDEE79337AC6AE8084649829CE7
Malicious: false
Reputation: low
Preview: 07/25/2019 04:53:08.Culture name is identified as: en-US..07/25/2019 04:53:08.Application Culture is set to en-US..07/25/2019 04:53:08.Loading the ResourceFile InstallCommon.Resources.InstallLocale.resources..07/25/2019 04:53:08.The setup is launched by user-PC\user with Administrator privilege..4520 4 07/25 04:53:09 ### ### ### - Instance log path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08..4520 4 07/25 04:53:09 ### ### ### - ############ ##############################################################..4520 4 07/25 04:53:09 ### ### ### - ## Installation STARTED ##..4520 4 07/25 04:53:09 ### ### ### - ##########################################################################..4520 4 07/25 04:53:09 ### ### ### - BinaryInfo file is not present at [C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BinaryInfo.xml] ..4520 4 07/25 04:53:09 ### ### ### - Command

C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1149
Entropy (8bit): 5.399738557221108
Encrypted: false
MD5: 8AA365DB67B66FD84765473D6D6EBE64
SHA1: E47E1CCF4A0C0DA4E20F762CF11F70E5E52C26CD
SHA-256: CB19C357E9A12DFD1B78ACB8166091592DB932C8CA6A40F5746AB60224EEFB83
SHA-512: A613C092A1BC0F30673B1729D944BB04492ABF27AA4F41DC79E2746592DFD2E0D3C47393D5A206A4338E9301D83207DC7D67E23D75DA9C74D3EE7C1C8A6CD8B2
Malicious: false
Reputation: low
Preview: [11A8:09C8][2019-07-25T04:52:51]i001: Burn v3.8.1128.0, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\user\Desktop\Setup.exe, cmdline: '-burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612'..[11A8:09C8][2019-07-25T04:52:51]i000: Initializing string variable 'CommvaultPackage_InstallCondition' to value 'yes'..[11A8:09C8][2019-07-25T04:52:51]i000: Initializing string variable 'InstallSQLEnterprise' to value 'yes'.. [11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log'..[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\Setup.exe'..[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleName' to value 'Commvault ContentStore'..[11A8:09C8][2019-07-25T04:53:08]i000: Loading managed bootstrapper application...[11A8:09C8][2019-07-25T

C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll
Process: C:\Users\user\Desktop\Setup.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 44201937
Entropy (8bit): 6.601345640152776
Encrypted: false
MD5: 8495F4C95F6619775915ADED8D08431E
SHA1: C7E52F3D73A3E2F3E4626D55F5E437A3C8BA5274
SHA-256: 9705DB6801D4363BAF1C639FDAA89DC5C5494BF9767F4D8113FB3B996D7EDBFB
SHA-512: B3E2BE19C8DE6941207B76FFA8E26BBFE152C5C28092E33AF8D38E734CFC300D7187BAD4E1CE4C3767C3D659D9285FE12EDAB3D711F58DCD20F8F73C620B637B
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| www.codeplex.com/prism | mbahost.dll.2.dr | false | | high |
| aia.entrust.net/ovcs1-chain256.cer01 | mbahost.dll.2.dr | false | | high |
| downloadcenter.commvault.com__cv__%s%s1.1.3__gda__%s%s%c%s=%lu_%s | mbahost.dll.2.dr | false | Avira URL Cloud: safe | low |
| www.codeplex.com/CompositeWPF | mbahost.dll.2.dr | false | | high |
| crl.entrust.net/g2ca.crl0; | mbahost.dll.2.dr | false | | high |
| ocsp.entrust.net05 | mbahost.dll.2.dr | false | | high |
| compositewpf.codeplex.com/ | mbahost.dll.2.dr | false | | high |
| ocsp.entrust.net02 | mbahost.dll.2.dr | false | | high |
| crl.entrust.net/ovcs1.crl0A | mbahost.dll.2.dr | false | | high |
| www.apps.ietf.org/rfc/rfc3447.html#sec-9.2 | mbahost.dll.2.dr | false | | high |
| ocsp.entrust.net00 | mbahost.dll.2.dr | false | | high |
| crl.entrust.net/2048ca.crl0; | mbahost.dll.2.dr | false | | high |
| www.entrust.net/rpa0 | mbahost.dll.2.dr | false | | high |
| ocsp.entrust.net0A | mbahost.dll.2.dr | false | | high |
| crl.entrust.net/level1d.crl03 | mbahost.dll.2.dr | false | | high |
| www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel | mbahost.dll.2.dr | false | | high |
| www.openssl.org/support/faq.html | mbahost.dll.2.dr | false | | high |

Contacted IPs

No contacted IP infos

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.996384689391448
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Java Script embedded in Visual Basic Script (1500/0) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Setup.exe
File size: 17839920
MD5: 9c58bac65013af9db388bcdd3cca831e
SHA1: f4c63086d073334ab258b85cb853e5fbf45f2922
SHA256: 89e4fa2a77fabd996d0b06389f436a0fd550005eccc0b1c37edd00ff8858e5b4
SHA512: dc0cd49bb1be3f96e5e8917bacc7b6f9c3c2c60641375095f1f0b0d737fff2b28380763e6fdc13986f15769b8cfd54be42e2a4bc4ac0f725f7e3c2bb0e3851d1
SSDEEP: 393216:31ODbFhQ+VG+42svcpuLcphElAmx8jrsQXQAja2dhYBPkD:3CDQv+vr6cpClnysQXQmdhgPkD

File Icon

Icon Hash: 0c96162f25650523

Static PE Info

General

Entrypoint: 0x4267a5
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x52974FC4 [Thu Nov 28 14:14:28 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 67715e556e3a78ea78c756db800102a3

Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Entrust Code Signing CA - OVCS1, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 10/30/2018 9:32:20 AM, 12/5/2021 9:02:18 AM
Subject Chain: CN="Commvault Systems, Inc.", O="Commvault Systems, Inc.", L=Tinton Falls, S=New Jersey, C=US
Version: 3
Thumbprint MD5: 554F7FF4080A39E8A9A23D446BDC0E5A
Thumbprint SHA-1: 26E375FB12C2EACFA8CAEAC9FB86E7E11F9B8899
Thumbprint SHA-256: B60D4202913F26865F0B19BCA44B71F8B715EA36A7DB8313A6BB3573A2F8050A
Serial: 00FC9CA28316F9B55800000000556679D0

Entrypoint Preview

Instruction
call 00007FDB786CE68Eh
jmp 00007FDB786CAB44h
cmp ecx, dword ptr [004560D0h]
jne 00007FDB786CACC4h
rep ret
jmp 00007FDB786CED89h
int3
int3
mov edx, dword ptr [esp+0Ch]
mov ecx, dword ptr [esp+04h]
test edx, edx
je 00007FDB786CAD41h
movzx eax, byte ptr [esp+08h]
bt dword ptr [00457C44h], 01h
jnc 00007FDB786CACCFh
mov ecx, dword ptr [esp+0Ch]
push edi
mov edi, dword ptr [esp+08h]
rep stosb
jmp 00007FDB786CAD1Fh
mov edx, dword ptr [esp+0Ch]
cmp edx, 00000080h
jl 00007FDB786CACD0h
bt dword ptr [00456180h], 01h
jc 00007FDB786CEE3Fh
push edi
mov edi, ecx
cmp edx, 04h
jc 00007FDB786CACF3h
neg ecx
and ecx, 03h
je 00007FDB786CACCEh
sub edx, ecx
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
jne 00007FDB786CACB8h
mov ecx, eax
shl eax, 08h
add eax, ecx
mov ecx, eax
shl eax, 10h
add eax, ecx
mov ecx, edx
and edx, 03h
shr ecx, 02h
je 00007FDB786CACC8h
rep stosd
test edx, edx
je 00007FDB786CACCCh
mov byte ptr [edi], al
add edi, 01h
sub edx, 01h
jne 00007FDB786CACB8h
mov eax, dword ptr [esp+08h]
pop edi
ret
mov eax, dword ptr [esp+04h]
ret
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDB786CACCAh
cmp edi, eax
jc 00007FDB786CAD2Eh

Rich Headers

Programming Language:
• [RES] VS2012 UPD1 build 51106
• [C++] VS2012 UPD1 build 51106
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2012 UPD1 build 51106

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54364 | 0x12c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5c000 | 0xa3f8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1101d80 | 0x19b0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x3660 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b4f0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x53cd0 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x53c88 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x474 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x395c4 | 0x39600 | False | 0.534764773965 | data | 6.54250074121 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3b000 | 0x1ac6e | 0x1ae00 | False | 0.293968023256 | data | 4.98279190668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x56000 | 0x3074 | 0x1000 | False | 0.220947265625 | data | 2.65734870488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .wixburn | 0x5a000 | 0x38 | 0x200 | False | 0.09765625 | data | 0.535453628939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .tls | 0x5b000 | 0x9 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x5c000 | 0xa3f8 | 0xa400 | False | 0.59844226372 | data | 6.69317084905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x67000 | 0x48e2 | 0x4a00 | False | 0.59375 | data | 5.6854252554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| PNG | 0x5c258 | 0x31a1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
| RT_ICON | 0x5f3fc | 0x2668 | data | English | United States |
| RT_ICON | 0x61a64 | 0x1128 | data | English | United States |
| RT_ICON | 0x62b8c | 0x9b8 | data | English | United States |
| RT_ICON | 0x63544 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
| RT_MESSAGETABLE | 0x639ac | 0x21d4 | data | English | United States |
| RT_GROUP_ICON | 0x65b80 | 0x4c | data | English | United States |
| RT_VERSION | 0x65bcc | 0x314 | data | English | United States |
| RT_MANIFEST | 0x65ee0 | 0x518 | ASCII text, with CRLF line terminators | English | United States |

Imports

| DLL | Import |
|---|---|
| ADVAPI32.dll | OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegCloseKey, RegQueryValueExW, RegDeleteValueW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, OpenSCManagerW, OpenServiceW, QueryServiceStatus, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, RegOpenKeyExW, QueryServiceConfigW |
| USER32.dll | GetMessageW, PeekMessageW, PostMessageW, SetWindowLongW, PostQuitMessage, DispatchMessageW, DefWindowProcW, RegisterClassW, UnregisterClassW, CreateWindowExW, LoadCursorW, MessageBoxW, LoadBitmapW, TranslateMessage, GetWindowLongW, IsWindow, MsgWaitForMultipleObjects, WaitForInputIdle, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, GetCursorPos |
| OLEAUT32.dll | SysFreeString, SysAllocString, VariantInit, VariantClear |
| GDI32.dll | GetObjectW, StretchBlt, SelectObject, DeleteObject, CreateCompatibleDC, DeleteDC |
| SHELL32.dll | ShellExecuteExW, SHGetFolderPathW, CommandLineToArgvW |
| ole32.dll | CoTaskMemFree, CoInitializeSecurity, CLSIDFromProgID, CoCreateInstance, StringFromGUID2, CoInitialize, CoInitializeEx, CoUninitialize |
| KERNEL32.dll | GetVersionExW, CompareStringW, VerSetConditionMask, FreeLibrary, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, lstrlenW, GetModuleHandleExW, GetSystemDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetComputerNameW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ExpandEnvironmentStringsW, GetFileAttributesW, ReadFile, SetFilePointerEx, CreateFileW, InterlockedExchange, InterlockedCompareExchange, LoadLibraryW, lstrlenA, RemoveDirectoryW, CreateEventW, OutputDebugStringW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, WriteFile, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, FindClose, SetFileAttributesW, FindFirstFileW, FindNextFileW, GetModuleHandleW, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, DuplicateHandle, CreateProcessW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CreateFileA, CompareStringA, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, VirtualAlloc, VirtualFree, GetSystemTimeAsFileTime, DeleteFileW, GetThreadLocale, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CloseHandle, Sleep, ReleaseMutex, DeleteCriticalSection, InitializeCriticalSection, GetLastError, GetTimeZoneInformation, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapFree, RaiseException, HeapAlloc, IsProcessorFeaturePresent, IsDebuggerPresent, TerminateProcess, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, MoveFileExW, CopyFileW, RtlUnwind, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCurrentThreadId, GetCurrentProcess, LocalFree, HeapSetInformation, LoadLibraryExW, SetEvent, HeapReAlloc, HeapSize, LCMapStringW, SetStdHandle, WriteConsoleW, FlushFileBuffers, SetFilePointer, GetLocalTime, FormatMessageW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, GetModuleHandleA, GlobalAlloc, GetCurrentProcessId, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, GetFileType, GetProcessHeap, GetModuleFileNameW, GetStdHandle, GetFileSizeEx, MultiByteToWideChar, ExitProcess, DecodePointer, GetCommandLineW, SetLastError, EncodePointer, GlobalFree |
| Cabinet.dll | |
| CRYPT32.dll | CertGetCertificateContextProperty, CryptHashPublicKeyInfo |
| msi.dll | |
| RPCRT4.dll | UuidCreate |
| WININET.dll | HttpQueryInfoW, InternetOpenW, InternetCloseHandle, InternetConnectW, InternetReadFile, InternetSetOptionW, HttpOpenRequestW, HttpAddRequestHeadersW, HttpSendRequestW, InternetErrorDlg, InternetCrackUrlW |
| WINTRUST.dll | WTHelperGetProvSignerFromChain, CryptCATAdminCalcHashFromFileHandle, WTHelperProvDataFromStateData, WinVerifyTrust |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |

Version Infos

| Description | Data |
|---|---|
| LegalCopyright | Copyright (c) Commvault. All rights reserved. |
| InternalName | setup |
| FileVersion | 11.80.140.0 |
| CompanyName | Commvault |
| ProductName | Commvault ContentStore |
| ProductVersion | 11.80.140.0 |
| FileDescription | Commvault ContentStore |
| OriginalFilename | Setup.exe |
| Translation | 0x0409 0x04e4 |

Possible Origin

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• Setup.exe
• Setup.exe


System Behavior

Analysis Process: Setup.exe PID: 2612 Parent PID: 4808

General

Start time: 04:52:38
Start date: 25/07/2019
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Setup.exe'
Imagebase: 0xb50000
File size: 17839920 bytes
MD5 hash: 9C58BAC65013AF9DB388BCDD3CCA831E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Read

| File Path | Offset | Length | Completion | Count | Source Address | Symbol |
|---|---|---|---|---|---|---|
| C:\Users\user\Desktop\Setup.exe | unknown | 64 | success or wait | 1 | B573C5 | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 24 | success or wait | 1 | B57477 | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 4 | success or wait | 1 | B5753D | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 4 | success or wait | 1 | B5758F | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 40 | success or wait | 1 | B5763D | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 40 | success or wait | 3 | B5769F | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 512 | success or wait | 1 | B57792 | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 36 | success or wait | 1 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 16 | success or wait | 2 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 256 | success or wait | 2 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 8 | success or wait | 1 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 8 | success or wait | 1 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 8198 | success or wait | 1 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 8 | success or wait | 77 | B7340C | ReadFile |
| C:\Users\user\Desktop\Setup.exe | unknown | 4810 | success or wait | 77 | B7340C | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} | unknown | 4 | success or wait | 1 | B5EB68 | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} | unknown | 76 | success or wait | 1 | B5EBFC | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} | unknown | 4 | success or wait | 1 | B5EC81 | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache | unknown | 4 | success or wait | 1 | B5EB68 | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache | unknown | 76 | success or wait | 1 | B5EBFC | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache | unknown | 4 | success or wait | 1 | B5EC81 | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache | unknown | 8 | unknown | 1 | B5EDB0 | ReadFile |
| \BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} | unknown | 8 | unknown | 1 | B5EDB0 | ReadFile |

Analysis Process: Setup.exe PID: 4520 Parent PID: 2612

General

Start time: 04:52:51
Start date: 25/07/2019
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Setup.exe' -burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612
Imagebase: 0xb50000
File size: 17839920 bytes
MD5 hash: 9C58BAC65013AF9DB388BCDD3CCA831E
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B815AD CreateDirectoryW f5953d68e8}\.ba1 directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 39 B87864 CreateDirectoryW f5953d68e8}\.ba1\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mbahost.dll synchronize | non alert | non generic write directory file

Copyright Joe Security LLC 2019 Page 18 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1043\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1043\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1060\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1060\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\AkmToken.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\BootstrapperCore.config synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CVUninstaller.exe.config synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mfc120.dll synchronize | non 
alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mfc120u.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\Microsoft.Practices.Prism.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\msvcp120.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\msvcr120.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\WPF Dialogs.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\de\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\de\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\de\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point 
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\de\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\en\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\en\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\es\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 19 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\es\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\es\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\es\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\fr\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\fr\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\fr\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\fr\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or 
list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\fr-CA\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\fr-CA\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\it\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\it\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\it\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\it\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\ja\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ja\InstallCommon.resources.dll synchronize | non alert | non generic write directory file 
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\ja\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ja\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\ko\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point

Copyright Joe Security LLC 2019 Page 20 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ko\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\ko\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ko\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\pt\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\pt\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\ru\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ru\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory 
file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\zh-Hans\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\zh-Hans\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\zh-Hans\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\zh-Hans\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\zh-Hant\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\zh-Hant\InstallCommon.resources.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | object name collision 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\zh-Hant\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\zh-Hant\System.Windows.Interactivity.resources.dll synchronize | non alert | non generic write 
directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\ClusterUtils.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CVBasicLib.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CVBasicLibManaged.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\cvcl.dll synchronize | non alert | non generic write directory file

Copyright Joe Security LLC 2019 Page 21 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\cvcl.dll.sig synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CVFocus.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CvManagedLogger.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\CVUninstaller.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\InstallCommon.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\InstallerBA.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\LaunchInstaller.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mfc140u.dll synchronize | non alert | non generic write directory file 
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\BootstrapperCore.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\msvcp140.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\UpdateNotificationCenter.exe synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\Guid.xml synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mbapreq.dll synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mbapreq.thm synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mbapreq.png synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1028\ 
directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1028\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1029\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1029\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1030\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1030\mbapreq.wxl synchronize | non alert | non generic write directory file

Copyright Joe Security LLC 2019 Page 22 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1031\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1031\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1032\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1032\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1035\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1035\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1036\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW 
f5953d68e8}\.ba1\1036\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1038\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1038\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1040\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1040\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1041\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1041\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1042\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW 
f5953d68e8}\.ba1\1042\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1044\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1044\mbapreq.wxl synchronize | non alert | non generic write directory file

Copyright Joe Security LLC 2019 Page 23 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1045\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1045\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1046\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1046\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1049\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1049\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1051\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW 
f5953d68e8}\.ba1\1051\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1053\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1053\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\1055\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\1055\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\2052\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\2052\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\2070\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW 
f5953d68e8}\.ba1\2070\mbapreq.wxl synchronize | non alert | non generic write directory file C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read data or list normal directory file | success or wait 1 B87864 CreateDirectoryW f5953d68e8}\.ba1\3082\ directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29 read attributes | normal synchronous io success or wait 1 B73959 CreateFileW f5953d68e8}\.ba1\3082\mbapreq.wxl synchronize | non alert | non generic write directory file

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QINetwork.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QIUtils.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\vcruntime140.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgApp.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgBase.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgInstall.dll; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\InstallConfig.xml; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperApplicationData.xml; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B73959; Symbol: CreateFileW
File Path: C:\Users\user\AppData\Local\Temp\; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Source Address: B87864; Symbol: CreateDirectoryW
File Path: C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log; Access: read attributes | synchronize | generic write; Attributes: normal; Options: synchronous io non alert | non directory file; Completion: success or wait; Count: 1; Source Address: B81851; Symbol: CreateFileW
File Path: C:\Users\user; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Source Address: 6CD4A9F6; Symbol: unknown
File Path: C:\Users\user\AppData\Roaming; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: object name collision; Count: 1; Source Address: 6CD4A9F6; Symbol: unknown
File Path: C:\ProgramData\Commvault Systems; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Source Address: 6BBFBEFF; Symbol: CreateDirectoryW
File Path: C:\ProgramData\Commvault Systems\Galaxy; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Source Address: 6BBFBEFF; Symbol: CreateDirectoryW
File Path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Source Address: 6BBFBEFF; Symbol: CreateDirectoryW
File Path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Source Address: 6BBF1E60; Symbol: CreateFileW
File Path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08; Access: read data or list directory | synchronize; Attributes: normal; Options: directory file | synchronous io non alert | open for backup ident | open reparse point; Completion: success or wait; Count: 1; Source Address: 6BBFBEFF; Symbol: CreateDirectoryW
File Path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log; Access: read attributes | synchronize | generic write; Attributes: none; Options: synchronous io non alert | non directory file | open no recall; Completion: success or wait; Count: 1; Source Address: 6BBF1E60; Symbol: CreateFileW

File Written

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll; Offset: unknown; Length: 16931; Completion: success or wait; Count: 3; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-; Offset: unknown; Length: 2454

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-; Offset: unknown; Length: 653
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\AkmToken.dll; Offset: unknown; Length: 31079; Completion: success or wait; Count: 4; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-; Offset: unknown; Length: 753

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120.dll; Offset: unknown; Length: 22524; Completion: success or wait; Count: 136; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120u.dll; Offset: unknown; Length: 21860; Completion: success or wait; Count: 137; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\Microsoft.Practices.Prism.dll; Offset: unknown; Length: 28356; Completion: success or wait; Count: 5; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcp120.dll; Offset: unknown; Length: 6012; Completion: success or wait; Count: 15; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcr120.dll; Offset: unknown; Length: 9436; Completion: success or wait; Count: 31; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WPF Dialogs.dll; Offset: unknown; Length: 21564; Completion: success or wait; Count: 2; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\en\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 1084; Completion: success or wait; Count: 2; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr-CA\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\InstallCommon.resources.dll; Offset: unknown; Length: 3132; Completion: success or wait; Count: 2; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 7168; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\System.Windows.Interactivity.resources.dll; Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile

File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\pt\InstallCommon.resources.dll; Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Source Address: B735D4; Symbol: WriteFile
File Path: C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ru\InstallCommon.resources.dll; Offset: unknown; Length: 1084; Completion: success or wait; Count: 2; Source Address: B735D4; Symbol: WriteFile

Copyright Joe Security LLC 2019 Page 39 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 3584 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\zh-Hans\InstallCommon.resources.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L....k.U...... 00 00 00 00 00 00 00 .!...... %...... @...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... @...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 6b a8 55 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 06 00 00 00 06 00 00 00 00 00 00 1e 25 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 6656 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\zh-Hans\Syste 00 04 00 00 00 ff ff 00 ...... m.Windows.Interactivity.resources.dll 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...7w.K...... 00 00 00 00 00 00 00 .!...... N...... @....@.. 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... /....@...... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 37 77 fc 4b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 10 00 00 00 08 00 00 00 00 00 00 4e 2e 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 f8 2f 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 40 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 3584 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\zh-Hant\InstallCommon.resources.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L....k.U...... 00 00 00 00 00 00 00 .!...... $...... @...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... @...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ed 6b a8 55 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 06 00 00 00 06 00 00 00 00 00 00 be 24 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 6656 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\zh-Hant\Syste 00 04 00 00 00 ff ff 00 ...... m.Windows.Interactivity.resources.dll 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L....v.K...... 00 00 00 00 00 00 00 .!...... @....@.. 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... c.....@...... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fe 76 fc 4b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 10 00 00 00 08 00 00 00 00 00 00 2e 2e 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 63 ab 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 41 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 9788 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 7 B735D4 WriteFile a711-29f5953d68e8}\.ba1\ClusterUtils.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... |..V...V...V..._e}.Z. 00 00 00 00 00 00 00 ....).T....y..T....y..]....y.. 00 00 00 00 00 00 00 R....y..A....y..R...t}..]...V. 00 00 00 20 01 00 00 ...... y..U....y..W....y..W... 0e 1f ba 0e 00 b4 09 V.y.W....y..W.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 12 7c 80 de 56 1d ee 8d 56 1d ee 8d 56 1d ee 8d 5f 65 7d 8d 5a 1d ee 8d c8 bd 29 8d 54 1d ee 8d 84 79 ed 8c 54 1d ee 8d 84 79 ea 8c 5d 1d ee 8d 84 79 ef 8c 52 1d ee 8d 84 79 eb 8c 41 1d ee 8d bd 79 ef 8c 52 1d ee 8d 74 7d ef 8c 5d 1d ee 8d 56 1d ef 8d f0 1d ee 8d bd 79 eb 8c 55 1d ee 8d bd 79 ee 8c 57 1d ee 8d bd 79 11 8d 57 1d ee 8d 56 1d 79 8d 57 1d ee 8d bd 79 ec 8c 57 1d ee C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 4252 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 63 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVBasicLib.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 (...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... `... 00 00 00 00 00 00 00 ..^q4...... 00 00 00 00 00 00 00 ...... +...... 00 00 00 28 01 00 00 ..A...... +...... +...... 0e 1f ba 0e 00 b4 09 +...... d.... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 84 b0 9d ec c0 d1 f3 bf c0 d1 f3 bf c0 d1 f3 bf c9 a9 60 bf d6 d1 f3 bf 5e 71 34 bf c6 d1 f3 bf 12 b5 f0 be ce d1 f3 bf 12 b5 f7 be cb d1 f3 bf 12 b5 f2 be c4 d1 f3 bf e2 b1 f5 be c2 d1 f3 bf e2 b1 f2 be d2 d1 f3 bf 2b b5 f2 be c7 d1 f3 bf c0 d1 f2 bf 41 d3 f3 bf 12 b5 f6 be e5 d1 f3 bf 2b b5 f6 be 91 d1 f3 bf 2b b5 f3 be c1 d1 f3 bf 2b b5 0c bf c1 d1 f3 bf c0 d1 64 bf c1 d1 f3

Copyright Joe Security LLC 2019 Page 42 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 24828 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVBasicLibManaged.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... S0F.2^..2^..2^..J...2 00 00 00 00 00 00 00 ^.;....2^.4V_..2^..`...2^.4V]. 00 00 00 00 00 00 00 .2^.4V[..2^.4VZ..2^..V_..2^. 00 00 00 10 01 00 00 .2 0e 1f ba 0e 00 b4 09 _..2^..V[..2^..V...2^..2...2^. cd 21 b8 01 4c cd 21 .V\..2^.Rich.2^ 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 53 30 46 e6 32 5e 15 e6 32 5e 15 e6 32 5e 15 ef 4a cd 15 e2 32 5e 15 3b cd 95 15 e5 32 5e 15 34 56 5f 14 e2 32 5e 15 f8 60 cd 15 e4 32 5e 15 34 56 5d 14 e7 32 5e 15 34 56 5b 14 f0 32 5e 15 34 56 5a 14 ed 32 5e 15 0d 56 5f 14 e4 32 5e 15 e6 32 5f 15 a4 32 5e 15 0d 56 5b 14 e5 32 5e 15 0d 56 a1 15 e7 32 5e 15 e6 32 c9 15 e7 32 5e 15 0d 56 5c 14 e7 32 5e 15 52 69 63 68 e6 32 5e C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 3420 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 40 B735D4 WriteFile a711-29f5953d68e8}\.ba1\cvcl.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... AkT./8T./8T./8]..8F. 00 00 00 00 00 00 00 /8...9V./8..,9\./8..*9_./8..+9 00 00 00 00 00 00 00 _./8v..9]./8T..8#./8..,9@./8. 00 00 00 10 01 00 00 . 
0e 1f ba 0e 00 b4 09 +9../8..+9A./8../9U./8...8U./ cd 21 b8 01 4c cd 21 8T..8U./8..-9U./ 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 10 f6 41 6b 54 97 2f 38 54 97 2f 38 54 97 2f 38 5d ef bc 38 46 97 2f 38 86 f3 2e 39 56 97 2f 38 86 f3 2c 39 5c 97 2f 38 86 f3 2a 39 5f 97 2f 38 86 f3 2b 39 5f 97 2f 38 76 f7 2e 39 5d 97 2f 38 54 97 2e 38 23 97 2f 38 9f f4 2c 39 40 97 2f 38 9f f4 2b 39 cd 96 2f 38 bf f3 2b 39 41 97 2f 38 bf f3 2f 39 55 97 2f 38 bf f3 d0 38 55 97 2f 38 54 97 b8 38 55 97 2f 38 bf f3 2d 39 55 97 2f

Copyright Joe Security LLC 2019 Page 43 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 360 23 20 53 48 41 2d 31 # SHA-1 RSA EMSA- success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\cvcl.dll.sig 20 52 53 41 20 45 4d PKCS1-v1_5 Signature..# 53 41 2d 50 4b 43 53 http://www.apps.iet 31 2d 76 31 5f 35 20 f.org/rfc/rfc3447.html#sec- 53 69 67 6e 61 74 75 9.2 72 65 0d 0a 23 20 68 ....64a931cf3969cc4f0d8c4 74 74 70 3a 2f 2f 77 16ebc 77 77 2e 61 70 70 73 8576f733dca838425c75f7d 2e 69 65 74 66 2e 6f 7c7379d 72 67 2f 72 66 63 2f 5e55..7723b26ace79a210c 72 66 63 33 34 34 37 1733fe9 2e 68 74 6d 6c 23 73 9d85ecac6a5ca63a54476f 65 63 2d 39 2e 32 0d de99a814 0a 0d 0a 36 34 61 39 7e1aa6..c3e63c84f9090db 33 31 63 66 33 39 36 9cae0b8ec7e64d4ef913ca 39 63 63 34 66 30 64 38 63 34 31 36 65 62 63 38 35 37 36 66 37 33 33 64 63 61 38 33 38 34 32 35 63 37 35 66 37 64 37 63 37 33 37 39 64 35 65 35 35 0d 0a 37 37 32 33 62 32 36 61 63 65 37 39 61 32 31 30 63 31 37 33 33 66 65 39 39 64 38 35 65 63 61 63 36 61 35 63 61 36 33 61 35 34 34 37 36 66 64 65 39 39 61 38 31 34 37 65 31 61 61 36 0d 0a 63 33 65 36 33 63 38 34 66 39 30 39 30 64 62 39 63 61 65 30 62 38 65 63 37 65 36 34 64 34 65 66 39 31 33 63 61 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 22100 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVFocus.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ;...... v...w. 00 00 00 00 00 00 00 ...?..}.....|.~.....z.p.....{. 00 00 00 00 00 00 00 t.....~.{...].~.x.....~.I..... 00 00 00 18 01 00 00 z.~...... ~...... ~...... ~... 0e 1f ba 0e 00 b4 09 ..}.~...Rich... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3b fe 11 c3 7f 9f 7f 90 7f 9f 7f 90 7f 9f 7f 90 76 e7 ec 90 77 9f 7f 90 e1 3f b8 90 7d 9f 7f 90 ad fb 7c 91 7e 9f 7f 90 ad fb 7a 91 70 9f 7f 90 ad fb 7b 91 74 9f 7f 90 ad fb 7e 91 7b 9f 7f 90 5d ff 7e 91 78 9f 7f 90 7f 9f 7e 90 49 9f 7f 90 94 fb 7a 91 7e 9f 7f 90 94 fb 7f 91 7e 9f 7f 90 94 fb 80 90 7e 9f 7f 90 7f 9f e8 90 7e 9f 7f 90 94 fb 7d 91 7e 9f 7f 90 52 69 63 68 7f 9f 7f

Copyright Joe Security LLC 2019 Page 44 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 28340 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CvManagedLogger.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...... 00 00 00 00 00 00 00 [...... !..0...... 00 00 00 00 00 00 00 ...... ` 00 00 00 00 00 00 00 ...... Uj....@...... 00 00 00 80 00 00 00 ...... 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 91 fa b1 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 f2 00 00 00 06 00 00 00 00 00 00 da 10 01 00 00 20 00 00 00 20 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 55 6a 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 23316 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 5 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVUninstaller.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...}.. 00 00 00 00 00 00 00 [...... 0...... ^...... 00 00 00 00 00 00 00 ..@...... 00 00 00 00 00 00 00 ...... @...... 00 00 00 80 00 00 00 ...... 
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d d6 e5 5b 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 96 01 00 00 8c 00 00 00 00 00 00 5e b5 01 00 00 20 00 00 00 c0 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 02 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 45 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 14100 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 118 B735D4 WriteFile a711-29f5953d68e8}\.ba1\InstallCommon.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0..@:...... z^:.. ...`:...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 :...... @...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 05 ad 93 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 40 3a 00 00 06 00 00 00 00 00 00 7a 5e 3a 00 00 20 00 00 00 60 3a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 3a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 28436 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 21 B735D4 WriteFile a711-29f5953d68e8}\.ba1\InstallerBA.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0...... 7...... @...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... @...... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 13 ad 93 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 18 0a 00 00 06 00 00 00 00 00 00 06 37 0a 00 00 20 00 00 00 40 0a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

Copyright Joe Security LLC 2019 Page 46 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 20244 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 7 B735D4 WriteFile a711-29f5953d68e8}\.ba1\LaunchInstaller.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... V...V...V@0SV.. 00 00 00 00 00 00 00 [email protected]@0PV...V&..W 00 00 00 00 00 00 00 ...V&..W 00 00 00 10 01 00 00 ...V&..W...V)SlV...V)SiV...V 0e 1f ba 0e 00 b4 09 .. cd 21 b8 01 4c cd 21 .V|..V...W...V..]V...V..5V...V 54 68 69 73 20 70 72 ...W...VRich... 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 cd cc 05 f4 ac a2 56 f4 ac a2 56 f4 ac a2 56 40 30 53 56 fd ac a2 56 40 30 51 56 8e ac a2 56 40 30 50 56 ec ac a2 56 26 c8 a1 57 e7 ac a2 56 26 c8 a6 57 e6 ac a2 56 26 c8 a7 57 d2 ac a2 56 29 53 6c 56 f5 ac a2 56 29 53 69 56 ff ac a2 56 f4 ac a3 56 7c ac a2 56 1f c8 a7 57 f6 ac a2 56 1f c8 5d 56 f5 ac a2 56 f4 ac 35 56 f5 ac a2 56 1f c8 a0 57 f5 ac a2 56 52 69 63 68 f4 ac a2 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 23924 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 157 B735D4 WriteFile a711-29f5953d68e8}\.ba1\mfc140u.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... 00 00 00 00 00 00 00 {...?...?...?....I-.>....I+.>....I*. 00 00 00 00 00 00 00 (...6.M.+...u... 00 00 00 00 00 00 00 =...u...5...u...2...u...*....I 00 00 00 10 01 00 00 1.,...?...... u...... u...>... 0e 1f ba 0e 00 b4 09 u.!.>...u...>.. 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7b b4 b0 92 3f d5 de c1 3f d5 de c1 3f d5 de c1 8b 49 2d c1 3e d5 de c1 8b 49 2b c1 3e d5 de c1 8b 49 2a c1 28 d5 de c1 36 ad 4d c1 2b d5 de c1 75 b0 df c0 3d d5 de c1 75 b0 dd c0 35 d5 de c1 75 b0 da c0 32 d5 de c1 75 b0 db c0 2a d5 de c1 8b 49 31 c1 2c d5 de c1 3f d5 df c1 cd d6 de c1 75 b0 d7 c0 a5 d4 de c1 75 b0 de c0 3e d5 de c1 75 b0 21 c1 3e d5 de c1 75 b0 dc c0 3e d5 de

Copyright Joe Security LLC 2019 Page 47 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 13028 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 B735D4 WriteFile a711-29f5953d68e8}\.ba1\BootstrapperCore.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L....O.R...... 00 00 00 00 00 00 00 .!...... 00 00 00 00 00 00 00 ...... ` 00 00 00 80 00 00 00 ...... b'....@...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 4f 97 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 00 01 00 00 20 00 00 00 00 00 00 fe 1a 01 00 00 20 00 00 00 20 01 00 00 00 00 10 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 10 00 00 62 27 02 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 740 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 15 B735D4 WriteFile a711-29f5953d68e8}\.ba1\msvcp140.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... V...... "P... 00 00 00 00 00 00 00 ....,...... X...... X... 00 00 00 00 00 00 00 ....X...... X...... X...e...X. 00 00 00 f8 00 00 00 ...... [email protected]...... Rich.... 0e 1f ba 0e 00 b4 09 ...... PE..L.. 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 56 df d1 b4 12 be bf e7 12 be bf e7 12 be bf e7 a6 22 50 e7 10 be bf e7 1b c6 2c e7 0a be bf e7 12 be be e7 d3 be bf e7 58 db be e6 11 be bf e7 58 db bc e6 1b be bf e7 58 db bb e6 1e be bf e7 58 db ba e6 04 be bf e7 58 db b7 e6 65 be bf e7 58 db bf e6 13 be bf e7 58 db 40 e7 13 be bf e7 58 db bd e6 13 be bf e7 52 69 63 68 12 be bf e7 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06

Copyright Joe Security LLC 2019 Page 48 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 1980 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 10 B735D4 WriteFile a711-29f5953d68e8}\.ba1\UpdateNotificationCenter.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... s.#j..pj..pj..pcjOp~. 00 00 00 00 00 00 00 .p...ph..p...pk..p.v.q`..p.v.q 00 00 00 00 00 00 00 d..p.v.qI..p.v.ql..p...p...pj. 00 00 00 10 01 00 00 .pA..p.v.qR..p.v#pk..pj.Kpk 0e 1f ba 0e 00 b4 09 ..p.v.qk..pRichj.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2e 73 b2 23 6a 12 dc 70 6a 12 dc 70 6a 12 dc 70 63 6a 4f 70 7e 12 dc 70 b7 ed 12 70 68 12 dc 70 b7 ed 0c 70 6b 12 dc 70 b8 76 df 71 60 12 dc 70 b8 76 d8 71 64 12 dc 70 b8 76 d9 71 49 12 dc 70 b8 76 dd 71 6c 12 dc 70 b7 ed 17 70 7f 12 dc 70 6a 12 dd 70 41 10 dc 70 81 76 d9 71 52 12 dc 70 81 76 23 70 6b 12 dc 70 6a 12 4b 70 6b 12 dc 70 81 76 de 71 6b 12 dc 70 52 69 63 68 6a 12 dc C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 16924 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 ...... 09 3c 50 72 6f 64 75 ... 34 38 32 44 2d 42 37 .. 22 31 2e 30 22 20 65 .. #(loc.Caption) 74 70 3a 2f 2f 77 69 ..

Copyright Joe Security LLC 2019 Page 50 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 797 89 50 4e 47 0d 0a 1a .PNG...... IHDR...?...?..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\mbapreq.png 0a 00 00 00 0d 49 48 W 44 52 00 00 00 3f 00 _...... sRGB...... gAMA...... 00 00 3f 08 06 00 00 a.....pHYs...... +...... IDA 00 57 5f 10 df 00 00 ThC../W.0....P(...Db+q8$... 00 01 73 52 47 42 00 ...... J.....-..8.e]._..;...... ae ce 1c e9 00 00 00 ...Y... .Y....z\...... {W|... 04 67 41 4d 41 00 00 .../q...<%.....C5...0....OrU.. b1 8f 0b fc 61 05 00 ..,..^...... ).....2...... 00 00 09 70 48 59 73 .i.Ge..T9T..}.7 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 02 b2 49 44 41 54 68 43 ed 9b 2f 57 c4 30 0c c0 f7 ed 50 28 14 0e 87 44 62 2b 71 38 24 0a 87 c1 e0 ef 9b 8d cb de cb c8 4a d2 a4 dd b2 b1 2d f7 de 38 b8 65 5d 93 5f fe b5 3b ba fe c4 af ee c4 ba f7 a1 fc 59 e9 07 f9 20 cf 59 a0 eb fa ee 7a 5c 7f ec f6 bd 04 b6 e8 f6 7b 57 7c 98 7f e1 a5 9c dd 2f 71 04 d7 ac 3c 25 0f bf ef e9 18 43 35 c8 f3 16 30 c7 fc 9e a8 4f 72 55 90 0f f2 7f 2c 10 d9 5e 0a 8b c8 f6 d1 e1 cd ab f1 29 a5 1e 8e cb e5 32 1c d2 0b ce a1 ec dc ea b2 69 9d 47 65 a9 a2 54 39 54 f2 2e 7d f6 37 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 1795 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 .. 65 3d 22 65 6e 2d 75 [WixBundleName] 73 22 20 4c 61 6e 67 Setup.. Microsoft .NET 30 33 33 22 20 78 6d Framework requ 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 78 2f 32 30 30 36 2f 6c 6f 63 61 6c 69 7a 61 74 69 6f 6e 22 3e 0d 0a 20 20 3c 53 74 72 69 6e 67 20 49 64 3d 22 43 61 70 74 69 6f 6e 22 3e 5b 57 69 78 42 75 6e 64 6c 65 4e 61 6d 65 5d 20 53 65 74 75 70 3c 2f 53 74 72 69 6e 67 3e 0d 0a 20 20 3c 53 74 72 69 6e 67 20 49 64 3d 22 54 69 74 6c 65 22 3e 4d 69 63 72 6f 73 6f 66 74 20 2e 4e 45 54 20 46 72 61 6d 65 77 6f 72 6b 20 72 65 71 75

Copyright Joe Security LLC 2019 Page 51 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2167 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 .. Copyright 2d 2d 0d 0a 20 20 3c (c) 2004, Outercurve 63 6f 70 79 72 69 67 Foundation... This 68 74 20 66 69 6c 65 software is released under 3d 22 6d 62 61 70 72 Microsoft Reciprocal 65 71 2e 77 78 6c 22 License (MS-RL)... The 20 63 6f 6d 70 61 6e license and 79 3d 22 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 22 3e 0d 0a 20 20 20 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 30 34 2c 20 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2e 0d 0a 20 20 20 20 54 68 69 73 20 73 6f 66 74 77 61 72 65 20 69 73 20 72 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 4d 69 63 72 6f 73 6f 66 74 20 52 65 63 69 70 72 6f 63 61 6c 20 4c 69 63 65 6e 73 65 20 28 4d 53 2d 52 4c 29 2e 0d 0a 20 20 20 20 54 68 65 20 6c 69 63 65 6e 73 65 20 61 6e 64 20 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2600 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 .. Copyright 2d 2d 0d 0a 20 20 3c (c) 2004, Outercurve 63 6f 70 79 72 69 67 Foundation... This 68 74 20 66 69 6c 65 software is released under 3d 22 6d 62 61 70 72 Microsoft Reciprocal 65 71 2e 77 78 6c 22 License (MS-RL)... The 20 63 6f 6d 70 61 6e license and 79 3d 22 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 22 3e 0d 0a 20 20 20 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 30 34 2c 20 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2e 0d 0a 20 20 20 20 54 68 69 73 20 73 6f 66 74 77 61 72 65 20 69 73 20 72 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 4d 69 63 72 6f 73 6f 66 74 20 52 65 63 69 70 72 6f 63 61 6c 20 4c 69 63 65 6e 73 65 20 28 4d 53 2d 52 4c 29 2e 0d 0a 20 20 20 20 54 68 65 20 6c 69 63 65 6e 73 65 20 61 6e 64 20

Copyright Joe Security LLC 2019 Page 52 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 172 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 .. Copyright 2d 2d 0d 0a 20 20 3c (c) 2004, Outercurve 63 6f 70 79 72 69 67 Foundation... This sof 68 74 20 66 69 6c 65 3d 22 6d 62 61 70 72 65 71 2e 77 78 6c 22 20 63 6f 6d 70 61 6e 79 3d 22 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 22 3e 0d 0a 20 20 20 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 30 34 2c 20 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2e 0d 0a 20 20 20 20 54 68 69 73 20 73 6f 66 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2534 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 .. Copyright 2d 2d 0d 0a 20 20 3c (c) 2004, Outercurve 63 6f 70 79 72 69 67 Foundation... This 68 74 20 66 69 6c 65 software is released under 3d 22 6d 62 61 70 72 Microsoft Reciprocal 65 71 2e 77 78 6c 22 License (MS-RL)... The 20 63 6f 6d 70 61 6e license and 79 3d 22 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 22 3e 0d 0a 20 20 20 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 30 34 2c 20 4f 75 74 65 72 63 75 72 76 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2e 0d 0a 20 20 20 20 54 68 69 73 20 73 6f 66 74 77 61 72 65 20 69 73 20 72 65 6c 65 61 73 65 64 20 75 6e 64 65 72 20 4d 69 63 72 6f 73 6f 66 74 20 52 65 63 69 70 72 6f 63 61 6c 20 4c 69 63 65 6e 73 65 20 28 4d 53 2d 52 4c 29 2e 0d 0a 20 20 20 20 54 68 65 20 6c 69 63 65 6e 73 65 20 61 6e 64 20

Source File Path | Offset | Length | Ascii | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 3542 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2377 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2448 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2534 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2446 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2687 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2378 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2313 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2510 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2289 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2454 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2476 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2274 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2445 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2122 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2353 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 2542 | .. .. .. Copyright (c) 2004, Outercurve Foundation... This software is released under Microsoft Reciprocal License (MS-RL)... The license and | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QINetwork.dll | unknown | 17988 | MZ...!This program cannot be run in DOS mode.... | success or wait | 12 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QIUtils.dll | unknown | 16020 | MZ...!This program cannot be run in DOS mode.... | success or wait | 85 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\vcruntime140.dll | unknown | 28388 | MZ...!This program cannot be run in DOS mode.... | success or wait | 3 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgApp.dll | unknown | 6572 | MZ...!This program cannot be run in DOS mode.... | success or wait | 319 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgBase.dll | unknown | 19884 | MZ...!This program cannot be run in DOS mode.... | success or wait | 43 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgInstall.dll | unknown | 14764 | MZ...!This program cannot be run in DOS mode.... | success or wait | 17 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- | unknown | 1964 | | | | |
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\InstallConfig.xml | unknown | 29281 | .. .. CV ExplorerPlugin.dll .. .. .. explorer.exe .. .. .. cv_xerce | success or wait | 1 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperApplicationData.xml | unknown | 3148 | ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r | success or wait | 93 | B735D4 | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 485 | [11A8:09C8][2019-07-25T04:52:51]i001: Burn v3.8.1128.0, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\user\Desktop\Setup.exe, cmdline: '-burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 26 | success or wait | 1 | B80FBA | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 165 | [11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log'.. | success or wait | 1 | B80FBA | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 133 | [11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\Setup.exe'.. | success or wait | 1 | B80FBA | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 113 | [11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleName' to value 'Commvault ContentStore'.. | success or wait | 1 | B80FBA | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 81 | [11A8:09C8][2019-07-25T04:53:08]i000: Loading managed bootstrapper application... | success or wait | 1 | B80FBA | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 81 | [11A8:09C8][2019-07-25T04:53:08]i000: Creating BA thread to run asynchronously... | success or wait | 1 | B80FBA | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log | unknown | 58 | 07/25/2019 04:53:08.Culture name is identified as: en-US.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log | unknown | 57 | 07/25/2019 04:53:08.Application Culture is set to en-US.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log | unknown | 94 | 07/25/2019 04:53:08.Loading the ResourceFile InstallCommon.Resources.InstallLocale.resources.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log | unknown | 90 | 07/25/2019 04:53:08.The setup is launched by user-PC\user with Administrator privilege.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 72 | ...*******************************************************************.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 28 | Machine .: 302494.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 33 | Module .: Install.log.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 22 | Commserver .: .. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 33 | Product Version.: 11.80.140.0.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 53 | OS Version .: Microsoft Windows NT 6.3.9600.0.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 31 | Date .: 7/25/2019.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 69 | *******************************************************************.. | success or wait | 1 | 6BBF1B4F | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log | unknown | 242 | 4520 4 07/25 04:53:09 ### ManagedLogger::SetCLRThreadPoolMaxThreads - CLR ThreadPool's max threads is already set by another thread in the process. maxWorkerThreads = [1000], maxIOThreads = [1000], PID = [4520], ProcessName = [Setup]... | success or wait | 3 | 6BBF1B4F | WriteFile
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log | unknown | 91 | [11A8:10B8][2019-07-25T04:53:09]i000: Setting string variable 'InstallFolder' to value ''.. | success or wait | 1 | B80FBA | WriteFile
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log | unknown | 853 | 4520 4 07/25 04:53:09 ### ### ### - Instance log path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08..4520 4 07/25 04:53:09 ### ### ### - ##########################################################################..4520 4 | success or wait | 3 | 6BBF1B4F | WriteFile

File Read

File Path  Offset  Length  Completion  Count  Source Address  Symbol
C:\Users\user\Desktop\Setup.exe  unknown  64  success or wait  1  B573C5  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  24  success or wait  1  B57477  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  4  success or wait  1  B5753D  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  4  success or wait  1  B5758F  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  40  success or wait  1  B5763D  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  40  success or wait  3  B5769F  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  512  success or wait  1  B57792  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  36  success or wait  1  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  16  success or wait  83  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  256  success or wait  83  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  8  success or wait  1  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  8  success or wait  1  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  8198  success or wait  1  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  8  success or wait  1426  B7340C  ReadFile
C:\Users\user\Desktop\Setup.exe  unknown  4810  success or wait  1426  B7340C  ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}  unknown  4  success or wait  1  B5FB24  ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache  unknown  4  success or wait  1  B5FB24  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4095  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  6135  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4097  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4098  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  7976  success or wait  1  6CCF3625  unknown
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4095  success or wait  1  6CCF3625  unknown
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  8173  end of file  1  6CCF3625  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll.aux  unknown  176  success or wait  1  6CC5EE1E  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4095  success or wait  1  6CCFA974  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  8173  end of file  1  6CCFA974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4095  success or wait  1  6CCFA974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  6135  success or wait  1  6CCFA974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4097  success or wait  1  6CCFA974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4098  success or wait  1  6CCFA974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  7976  success or wait  1  6CCFA974  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4095  success or wait  1  6CCF3625  unknown
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  8173  end of file  1  6CCF3625  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\d88a90d2c98cca1a9d491dfeb73352be\System.Configuration.ni.dll.aux  unknown  864  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux  unknown  620  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll.aux  unknown  900  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4d91b386e64bacbfdf3b2db16155386b\System.Xml.ni.dll.aux  unknown  748  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4095  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  6135  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4097  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4098  success or wait  2  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  7976  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4121  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4253  success or wait  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  8171  end of file  1  6CCF3625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  2  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  success or wait  2  6BBF1B4F  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4096  end of file  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4096  end of file  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4096  success or wait  1  6BBF1B4F  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll.aux  unknown  1832  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll.aux  unknown  1348  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b8254ec01c31459d7f6f66e4d6a670a5\PresentationFramework.ni.dll.aux  unknown  2436  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\95f7be3abae719343f354f3adc883704\System.Xaml.ni.dll.aux  unknown  572  success or wait  1  6CC5EE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\1594c760f82b90d7a02dabb19e0b45a2\System.Xml.Linq.ni.dll.aux  unknown  872  success or wait  1  6CC5EE1E  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  2  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  success or wait  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml  unknown  8192  end of file  1  6BBF1B4F  ReadFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  4095  success or wait  1  6CCF3625  unknown
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config  unknown  8173  end of file  1  6CCF3625  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\1ac2c381a4249b9c7baebb4c38cc6853\PresentationFramework.Aero2.ni.dll.aux  unknown  1252  success or wait  1  6CC5EE1E  ReadFile

Registry Activities

Key Created

Key Path  Completion  Count  Source Address  Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps  success or wait  1  6BBF5F3C  RegCreateKeyExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps  success or wait  1  6BBF5F3C  RegCreateKeyExW

Key Value Created

Key Path  Name  Type  Data  Completion  Count  Source Address  Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szDefaultLogDir  unicode  C:\ProgramData\Commvault Systems\Galaxy\LogFiles\  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  tempInstallLogDir  unicode  C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szLogDir  unicode  C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  InstallInstance  unicode  Instance001  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szSourceDir  unicode  C:\Users\user\Desktop  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bBootStrapMode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szInstallerName  unicode  Setup.exe  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szAssemblyDirectory  unicode  C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results  nInstallExitCode  dword  1001  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results  nInstallJMStatus  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  nProcessor  dword  3  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchangeTitanium  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchange2K3  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchangeE12  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchangeE14  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchangeE15  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bExchangeE16  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bLotusDomino50Installed  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bLotusDomino60Installed  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  ProductVersion  unicode  11.80.140.0  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  szWixBundleProviderKey  unicode  {1d96cbc4-3dc0-45da-a711-29f5953d68e8}  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps  CompletionDialog  unicode  Incomplete  success or wait  1  6BBF646A  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bPlayMode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bForceReboot  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bSilentInstallMode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bCleanUpAndStartOverMode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  nJobId  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bDownloadUnixPackages  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bDownloadPackages  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bPatchingPassiveNode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bDoNotPatchDB  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bNoStartSvc  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bInstallThirdPartiesOnly  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bSetProgressReg  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bInstalltypeNewinstall  dword  1  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  bStandbyNode  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data  nPlanId  dword  0  success or wait  1  6BBFC075  RegSetValueExW
HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps  LanguageSelectionViewModel  unicode  Incomplete  success or wait  1  6BBF646A  RegSetValueExW

Disassembly

Code Analysis
